Is your WordPress website secure?

How Secure Is Your WordPress Website

How secure is your website? If something happened to it, how long would it take you to get it up and running again? Could you get it up and running again at all?

Today I will show you how to secure your website.

Web Security


Unfortunately, there are *ssholes out there who wish to ruin your day by hacking your website or taking it down with a DDoS attack or something similar.

It can happen. It can happen to you, it can happen to your friend, it can happen to me… probably not me though because I think my website is pretty secure.

I use a couple of plugins that help protect my website from being hacked.

  • Google Authenticator
  • Wordfence

I will go through each of them, but do note that you don’t need them for your website to work. You can live without them, but if you want your website to be secure I highly suggest you install one of the plugins or both.

Google Authenticator

Google Authenticator App

Go ahead and visit my login page. I know you know the URL of my login page. It is the same for every WordPress website. The URL is or

Go ahead and take a look. I don’t mind.

You probably noticed that underneath the normal username and password fields there’s an extra field called “Google Authenticator”.

Google Authenticator

That is what we call two-factor (or multi-factor) authentication. When I log in with my credentials but don’t enter the Google Authenticator code, I get the following error message:

Google Authenticator Wrong Code or Expired

That’s right. If you don’t have the “Google Authenticator Code” you cannot log in to my website.

So… where do I get the Google Authenticator code? From my mobile phone. In order to log in, I need to pick up my smartphone, open the Google Authenticator app and type in the code it shows me.

Google Authenticator Screen

This code changes every 30 seconds, so the code you see in the screenshot expired long before you read this sentence. How cool is that?

This means that even if you know my username (which is easy to find) and even if you know my password (which is VERY hard to find), you still won’t be able to log in because you don’t have my smartphone, and the secret key that generates the codes lives only on that phone and on my website.

I use a plugin called the Google Authenticator which you can find here:

I will quote what they have written in their description because they already explained it very awesomely (why is awesomely a word and not awesomest?):

The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry.

If you are security aware, you may already have the Google Authenticator app installed on your smartphone, using it for two-factor authentication on Gmail/Dropbox/Lastpass/Amazon etc.

The two-factor authentication requirement can be enabled on a per-user basis. You could enable it for your administrator account, but log in as usual with less privileged accounts.

How awesome is that right?

Also… do remember that WordPress isn’t the only service that supports Google Authenticator. This is a screenshot of the Google Authenticator app on my smartphone.

My Google Authenticator Screenshot

I never want to have secrets. I always want to be transparent, but I do hope you understand that I have to black out some information on my Google Authenticator screenshot: the account names and the live codes.

This trick helps against people who try to log in to your website without your knowledge, but your website can still be vulnerable to malware or to attacks that don’t go through the login form at all. Which leads me to my second plugin, called…

WordFence

WordFence is probably THE tool to have for protecting your website against malware, hack attempts and much more.

Every website I own is equipped with WordFence, and usually it’s the first plugin I install right after installing WordPress.


WordFence has a built-in Web Application Firewall that identifies and blocks malicious traffic. A lot of attacks come from IP addresses that are already known to be malicious, and WordFence automatically blocks those for you.

It protects your website from brute force attacks by limiting login attempts, enforcing strong passwords and much more.
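Limiting login attempts is simple to describe and easy to get subtly wrong, so here is an added example of the idea (my own code, not Wordfence's implementation, which I have not inspected): a sliding-window throttle that locks an IP address out for a while once it has produced too many bad passwords in a short period, replayed over a few constructed log lines. The thresholds, the log format and the function names are assumptions for illustration. Note that the lockout check happens before the password is even examined, so a correct password from a locked-out address is still refused until the lock expires.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window brute-force limiter.  After `max_failures` failed logins
    from one IP within `window` seconds, refuse that IP for `lockout` seconds.
    Hypothetical example logic; thresholds are illustrative."""

    def __init__(self, max_failures: int = 5, window: int = 300, lockout: int = 900):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._locked_until = {}               # ip -> unix time the lock expires

    def allowed(self, ip: str, now: float) -> bool:
        """Call this BEFORE checking the password.  False means refuse outright."""
        until = self._locked_until.get(ip)
        if until is not None:
            if now < until:
                return False
            del self._locked_until[ip]        # lock has expired: start with a clean slate
            self._failures.pop(ip, None)
        return True

    def failure(self, ip: str, now: float) -> bool:
        """Record a bad password.  Returns True if this attempt tripped the lockout."""
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            recent.clear()
            return True
        return False

    def success(self, ip: str) -> None:
        """A good login clears the failure history for that IP."""
        self._failures.pop(ip, None)


# Constructed sample log, not real traffic: "<unix_time> <client_ip> <OK|FAIL>".
SAMPLE_LOG = [
    "1700000000 203.0.113.5 FAIL",
    "1700000010 203.0.113.5 FAIL",
    "1700000020 198.51.100.7 FAIL",
    "1700000020 203.0.113.5 FAIL",
    "1700000030 203.0.113.5 FAIL",
    "1700000040 203.0.113.5 FAIL",   # fifth failure inside 5 minutes -> lockout
    "1700000050 203.0.113.5 OK",     # right password, but the IP is locked out
    "1700000060 198.51.100.7 OK",    # a different IP is unaffected
    "1700000960 203.0.113.5 OK",     # 15 minutes after the lock: allowed again
]


def replay(log_lines, throttle: LoginThrottle = None):
    """Run log lines through the throttle; per line returns 'refused' (locked out),
    'lockout' (this failure tripped the limit) or 'processed' (password was checked)."""
    throttle = throttle or LoginThrottle()
    outcomes = []
    for line in log_lines:
        ts, ip, result = line.split()
        ts = int(ts)
        if not throttle.allowed(ip, ts):
            outcomes.append("refused")
            continue
        if result == "OK":
            throttle.success(ip)
            outcomes.append("processed")
        else:
            outcomes.append("lockout" if throttle.failure(ip, ts) else "processed")
    return outcomes


if __name__ == "__main__":
    for line, outcome in zip(SAMPLE_LOG, replay(SAMPLE_LOG)):
        print(f"{outcome:10s} {line}")
```

Keying the limiter on the client IP alone has a known blind spot: a botnet spreads its guesses over thousands of addresses, each staying under the threshold. A second counter keyed on the username catches that pattern, at the cost of letting an attacker lock a victim out on purpose; that is why a plugin like Wordfence combines rate limiting with a reputation-based IP block list rather than relying on one mechanism.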


It has a built-in malware scanner that regularly checks the WordPress core files, themes and plugins for unexpected changes and looks for bad URLs, backdoors and so on.

If it detects something suspicious, it sends you an e-mail warning you.
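The core of such a scanner is file integrity checking: hash every file, compare against a known-good manifest, and report anything modified, added or missing, then grep the PHP for the idioms backdoors tend to use. The following is an added example of that technique written for this article (not Wordfence's scanner, which compares against the checksums published by WordPress.org rather than a locally stored manifest). It builds a tiny constructed WordPress-like tree in a temporary directory, takes a baseline, tampers with it the way an attacker would, and shows what the scan reports. The directory layout, file contents, signature strings and function names are assumptions for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# A few classic backdoor idioms.  Illustrative list, far from complete.
SUSPICIOUS_PATTERNS = (
    "eval(base64_decode(",
    "system($_GET",
    "preg_replace('/.*/e'",
)


def sha256_of(path: Path) -> str:
    """Stream the file so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def scan(root: Path, baseline: dict) -> dict:
    """Compare the tree against a known-good manifest and grep PHP files
    for the patterns above."""
    current = build_manifest(root)
    report = {
        "modified": sorted(f for f in current if f in baseline and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "missing": sorted(f for f in baseline if f not in current),
        "suspicious": [],
    }
    for rel in current:
        if rel.endswith(".php"):
            text = (root / rel).read_text(errors="replace")
            hits = [s for s in SUSPICIOUS_PATTERNS if s in text]
            if hits:
                report["suspicious"].append((rel, hits))
    report["suspicious"].sort()
    return report


def demo() -> dict:
    """Constructed mini site: take a baseline, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-includes" / "functions.php").write_text(
            "<?php function wp_hello() { return 'hi'; }\n")
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        baseline = build_manifest(root)          # what a clean install looks like

        # Attacker appends an eval() backdoor to a core file and drops a new shell
        # into an innocuous-looking location.
        with (root / "wp-includes" / "functions.php").open("a") as f:
            f.write("eval(base64_decode($_POST['x']));\n")
        (root / "wp-content").mkdir()
        (root / "wp-content" / "cache.php").write_text("<?php system($_GET['cmd']);\n")

        return scan(root, baseline)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(f"{kind}: {entries}")
```

The hash comparison is the part that matters: the pattern list will miss any backdoor written with a little care, but a core file whose hash no longer matches the published one is suspicious no matter what it contains. Store the baseline somewhere the web server cannot write to, otherwise whoever can plant the backdoor can also update the manifest.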


I could go on and on telling you how great WordFence is, but I believe the developers have already listed how awesome their product is. You can find their plugin right here:

The plugin has a premium option which is not that expensive, but you can make do with the free option.

Keep your Plug-Ins up-to-date

WordPress Updates ARE Important

I know it can be a hassle to see, every time you log in, that yet another plugin has an update waiting and to have to install it, but keep your plug-ins up-to-date EVERY TIME YOU LOG IN.

Updates carry security fixes or compatibility fixes, which only benefit your website. I know it’s a hassle, but keep them up-to-date. You will not regret it.

Even if you don’t update your plugins, WordFence will remind you that you need to: you’ll get an e-mail from WordFence whenever an update has not been installed after 2 days.


Make it hard for those *ssholes. If they do hack into your website, which will be hard if you have installed the plugins, make sure you make them sweat and cry for their mommas.

But even if you have Google Authenticator, WordFence and up-to-date plug-ins, it might still happen that those *ssholes hack your website. And when they do, you need to get your website up and running as fast as possible.

That means we’re going to talk about back-ups: how to back up your website and how to restore it.

This will be an article for next week.

Thanks for reading,

Engin Soysal